One of the greatest challenges that organizations face today is controlling access to sensitive data. With the rise in data security and data privacy regulations (HIPAA, GDPR, CCPA, etc.), it’s critical that businesses have policies and controls in place to ensure that employees have the right access to the right data needed to fulfill their responsibilities—while keeping out those who don’t need access.
Onboarding employees with the correct access is important, but it’s equally, if not more, critical that the policies and procedures are in place to revoke access when employees leave an organization. Policies and tools need to be in place to systematically ensure that the least privileged access is maintained for users over time, to avoid ‘privilege black-holes’ whereby a user retains access to resources that they no longer require.
The most common solution for enforcing proper access levels, and one that is both effective and simple, is Role-Based Access Control (RBAC). RBAC is the mechanism used by most organizations, whether large enterprises or startups, to restrict access to resources or information within the organization. Typically, RBAC is implemented under the principle of least privilege, where employees, contributors, or automated agents should only have access to the resources they need to fulfill their responsibilities and nothing else. Put simply, RBAC defines who has access to what.
The key pillars of RBAC are:
- Permissions: define what type of action someone can take, which can be none, or one or more of the create, read, update, and delete (CRUD) operations.
- Roles: define the level of control that a person or automated agent has.
- Authorization: defines whether a person or agent is authorized to assume a given role.
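To make the three pillars concrete, here is an added Python example; it is not code from the original post or from Yotascale. Permissions are CRUD flags (with an explicit "none"), a role bundles permissions per resource type, and an authorization table records which principals (people or automated agents) may assume which roles. The resource types, role names and principals are constructed for illustration, and every decision is default-deny: an unknown principal, role or resource type yields no permissions.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, Mapping, Set


class Permission(Flag):
    """The action types a role can grant: none, or any combination of CRUD."""
    NONE = 0
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()


FULL = Permission.CREATE | Permission.READ | Permission.UPDATE | Permission.DELETE


@dataclass(frozen=True)
class Role:
    """A named bundle of permissions, keyed by resource type."""
    name: str
    grants: Mapping[str, Permission]


# Constructed roles for a cost-management tool (hypothetical resource types).
ROLES: Dict[str, Role] = {
    "viewer": Role("viewer", {"cost_report": Permission.READ}),
    "engineer": Role("engineer", {
        "cost_report": Permission.READ,
        "recommendation": Permission.READ | Permission.UPDATE,  # act on rightsizing advice
    }),
    "admin": Role("admin", {"cost_report": FULL, "recommendation": FULL, "budget": FULL}),
}

# Authorization pillar: which principals may assume which roles (constructed).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"engineer"},
    "bob": {"viewer"},
    "reporting-bot": {"viewer"},  # an automated agent gets read-only, like any other principal
}


def can_assume(principal: str, role_name: str) -> bool:
    """Is this principal allowed to take on this role?"""
    return role_name in ASSIGNMENTS.get(principal, set())


def effective_permissions(principal: str, resource_type: str) -> Permission:
    """Union of the permissions of every role the principal may assume."""
    perms = Permission.NONE
    for role_name in ASSIGNMENTS.get(principal, set()):
        perms |= ROLES[role_name].grants.get(resource_type, Permission.NONE)
    return perms


def is_authorized(principal: str, action: Permission, resource_type: str) -> bool:
    """Default deny: every requested bit must be granted; an empty request is never approved."""
    if action == Permission.NONE:
        return False
    return action in effective_permissions(principal, resource_type)


if __name__ == "__main__":
    for who, what, on in [("alice", Permission.UPDATE, "recommendation"),
                          ("bob", Permission.UPDATE, "recommendation"),
                          ("mallory", Permission.READ, "cost_report")]:
        print(who, what.name, on, "->", "allow" if is_authorized(who, what, on) else "deny")
```

Note the explicit rejection of an empty request: a zero-valued flag is contained in every other flag, so without that check `is_authorized(principal, Permission.NONE, ...)` would answer "allow" for anyone, including unknown principals.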
Benefits of RBAC
The benefits to the organization of RBAC are huge, especially around security. By restricting access to data to the teams that really need it to do their jobs, the risks of data breaches are also reduced. Additionally, by providing context-level access to information relevant to each employee, you help them focus on their job and get more actionable information, hence improving efficiency.
Implementing RBAC has far-reaching benefits for every organization, such as:
Improved efficiency: RBAC allows organizations to give access to the right information and processes to the employees that have the responsibility to handle that area of the structure. As new employees are hired, RBAC adds efficiency to the process of giving employees access as they become part of a team. Ideally, RBAC should be automated across all applications so that as the organization adds an employee to an identity management solution, all connected systems automatically update their respective access and permissions. Other situations where this adds efficiency: adding an existing employee to a new team, needing to grant new (or remove existing) permissions from everyone on an existing team (e.g. “contractors only had read access before on project XYZ, but now we need all contractors to also have write access”).
Compliance alignment: RBAC can be the backbone of a compliance strategy, as it enforces access policies at the system and resource level and can map system roles to the organization’s compliance policies. RBAC can enforce an access matrix that defines who is able to access what, and with which permissions, to meet the organization’s needs. Examples of regulatory compliance standards that call for this kind of access control include HIPAA, SOX, SOC 2, and ISO 27001.
Oversight visibility: One very important benefit of RBAC is that it gives administrators (or system auditors) the specific role and credentials needed to view user access information and to verify that only authorized users have permission to access the areas of the organization they are supposed to reach in order to do their jobs.
Data leak prevention: With proper RBAC policies in place, organizations can ensure that only the right personnel have access to the information they need to do their jobs and nothing else, and as such reduce possible data breaches.
Applying RBAC to cloud cost management
Cloud cost optimization relies on empowered engineering teams having access to the right information they need to make smart cloud cost decisions. The information needs to be accurate, specific, and actionable to the teams that own the cloud resources that are generating cloud spend.
It’s important that both Engineering / DevOps and Finance / FinOps teams understand cloud costs for their branch of the organization, and in large organizations there may be many teams that focus on various parts of the business. Engineers need to be given recommendations that are meaningful to their application responsibilities, rather than being presented with all possible recommendations, most of which won’t apply to them. Attributing cloud costs to the correct stakeholders is the only way to present recommendations that are truly actionable and in the correct context.
As such, RBAC is a key pillar to achieving the goal of correct cloud cost attribution. It allows for the correct definition of who needs to have access to what information and which type of access is useful for that employee. A good example that relates to cloud cost management is data privacy between separate divisions of an organization. If two team leaders are heads of separate departments, it isn’t helpful for them to have visibility into the other departments’ cloud spend and recommendations, as they don’t need that information to do their jobs. Conversely, finance and the head of engineering would need to see all of the cloud cost data across divisions to manage budgets and cost of goods sold (COGS).
RBAC for user management
Today, many organizations are very dynamic, with users who often change roles and employees who join or leave the organization. To make managing users efficient, a good approach is to always associate users with roles through a user-group construct, so that when access to new resources needs to be granted, it can be done at the group level rather than for each individual user. Granting access per user quickly becomes a nightmare of keeping track of who has access to what.
How RBAC applies to business contexts and personas
An important aspect to consider when designing your cloud cost management solution is to think about what each stakeholder or persona needs to do their job. There are certain types of information and actions that make sense for an engineering team, or a DevOps team, whereas the finance team has different roles. For example, engineers need to see recommendations that allow them to rightsize or terminate unused resources, whereas the finance team may be more concerned with budgeting and forecasting. The key is to define the right level of visibility and control that each person needs to have at each business-context level.
Yotascale empowers engineering and FinOps teams with RBAC
Yotascale gives a complete view of your multi-cloud infrastructure spend, including containers and Kubernetes, and empowers your engineering and FinOps teams with the most accurate cloud cost allocation, actionable recommendations, and continuous cloud cost anomaly detection.
The Yotascale RBAC model is ready-to-use with the most common roles and respective user groups out of the box. As organizations map their existing organization groups to the Yotascale groups, we achieve an accurate mapping of the level of access to visibility and control for each business context.
As a best practice, avoid creating too many roles, since role proliferation can render RBAC useless. It is also good practice to audit roles and permissions regularly to ensure that each level of access is still relevant.
You should also provide for audit roles (which need only read-only access) that can view all cloud costs and check whether cloud cost spikes are being handled properly by the respective resource owners.
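The following added Python example (not Yotascale’s code, and not from the original post) ties together the department-scoped visibility described under cloud cost attribution, the user-group approach from the user management section, and the read-only audit role recommended above. Business contexts are modelled as a path tree, groups carry (role, scope) grants, users are only ever members of groups, offboarding removes a user from every group in one step, and an access report lists who can do what and where, so stale access can be spotted during periodic audits. The organization name, group names, users and cost records are all constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Roles as sets of allowed actions on cost data (constructed for this example).
ROLES: Dict[str, Set[str]] = {
    "engineer": {"read", "update"},  # see costs, act on recommendations
    "analyst": {"read", "update"},   # finance: budgets, forecasts, COGS
    "auditor": {"read"},             # read-only across everything it is granted
}


# Business contexts form a tree written as slash-separated paths;
# a grant on a node covers every node beneath it.
def covers(granted_scope: str, target_scope: str) -> bool:
    return target_scope == granted_scope or target_scope.startswith(granted_scope + "/")


# Groups carry (role, scope) grants; users are only ever members of groups.
GROUP_GRANTS: Dict[str, List[Tuple[str, str]]] = {
    "payments-team": [("engineer", "acme/engineering/payments")],
    "platform-team": [("engineer", "acme/engineering/platform")],
    "eng-leadership": [("engineer", "acme/engineering")],
    "finance": [("analyst", "acme")],
    "auditors": [("auditor", "acme")],
}


class Directory:
    """Group membership store. Offboarding removes every grant in one step."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = defaultdict(set)

    def add(self, user: str, group: str) -> None:
        if group not in GROUP_GRANTS:
            raise KeyError(f"unknown group {group!r}")
        self.members[user].add(group)

    def remove(self, user: str, group: str) -> None:
        self.members.get(user, set()).discard(group)

    def offboard(self, user: str) -> None:
        self.members.pop(user, None)

    def grants(self, user: str) -> List[Tuple[str, str]]:
        return [g for group in self.members.get(user, ()) for g in GROUP_GRANTS[group]]


def can(directory: Directory, user: str, action: str, scope: str) -> bool:
    """Default deny: some grant must both allow the action and cover the scope."""
    return any(action in ROLES[role] and covers(granted, scope)
               for role, granted in directory.grants(user))


def visible_costs(directory: Directory, user: str, records: List[dict]) -> List[dict]:
    """Only the cost records whose owning context the user may read."""
    return [r for r in records if can(directory, user, "read", r["scope"])]


def access_report(directory: Directory) -> Dict[str, List[Tuple[str, str]]]:
    """Who can do what, where. Review it regularly to catch privilege black-holes."""
    return {
        user: sorted({(scope, action)
                      for role, scope in directory.grants(user)
                      for action in ROLES[role]})
        for user in directory.members
    }


# Constructed cost records tagged with the business context that owns them.
COST_RECORDS = [
    {"scope": "acme/engineering/payments", "service": "rds", "usd": 1200.0},
    {"scope": "acme/engineering/platform", "service": "eks", "usd": 3400.0},
    {"scope": "acme/marketing", "service": "s3", "usd": 150.0},
]


def build_example_directory() -> Directory:
    d = Directory()
    d.add("alice", "payments-team")   # department head: sees only her own department
    d.add("bob", "platform-team")
    d.add("carol", "finance")         # finance: sees every division's spend
    d.add("dave", "auditors")         # read-only everywhere
    d.add("erin", "eng-leadership")   # head of engineering: all engineering teams
    return d


if __name__ == "__main__":
    directory = build_example_directory()
    for user in ("alice", "carol", "dave"):
        print(user, [r["service"] for r in visible_costs(directory, user, COST_RECORDS)])
    directory.offboard("alice")
    print("after offboarding:", access_report(directory))
```

The scope check appends a slash before matching, so a grant on `acme/engineering/payments` does not accidentally cover a sibling such as `acme/engineering/payments-legacy`; this is the kind of edge case that is easy to miss when scopes are compared with a plain string prefix.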
RBAC is only one of the multiple tools to consider when defining your cloud cost management solution. At Yotascale we have carefully considered all the complexity of dealing with the different personas in large enterprise organizational structures. We are also deeply invested in making things easy and we know how to create effective RBAC models that help you map your personas with their different perspectives to your cloud cost management strategy.